August 14, 2008

GEORGE W. WRIGHT
VICE PRESIDENT, INFORMATION TECHNOLOGY OPERATIONS

SUBJECT: Audit Report – Application Control Review of the Time and Attendance Collection System (Report Number IS-AR-08-014)

This report presents the results of our self-initiated audit of the Time and Attendance Collection System (TACS) (Project Number 07RG010IS000). Our objective was to determine whether TACS had sufficient controls in place to ensure that data and transactions are valid, authorized, and completely and accurately processed. Specifically, we reviewed controls surrounding input and approval of time records, user privileges, user authentication, and data integrity. In addition, we evaluated the reliability of reporting, specifically the Employee Everything Report. This audit addresses operational risk associated with TACS. See Appendix A for additional information about this audit.

Conclusion

We determined TACS has sufficient application controls in place to ensure automated clock rings entered into the application were accurately accepted and processed. Also, we determined the Employee Everything Report and related interface were operating as intended and accurately reported transaction results. However, the U.S. Postal Service has an opportunity to strengthen least privilege controls, access controls, and security of sensitive information; and to improve Quality Assurance (QA) testing. The scope of our audit did not include a review of manual controls and supervisory responsibilities related to clock rings.

Electronic Badge Reader Creation Software and Printer

Employee Social Security numbers (SSN) can be displayed through some TACS application modules or printed on some TACS reports.
Application Control Review of the Time and Attendance Collection System    IS-AR-08-014

The Postal Service took the initiative to protect employees' confidential and sensitive information, as directed in policy,1 by using Employee Identification Numbers (EIN) for identification purposes instead of SSNs. However, management had not updated the Electronic Badge Reader (EBR) creation software to use these EINs as the primary means of identification.2 xxxxx x xxxxxxxxxxxxx xxxx xxxxxxxxxx (xx) xxxxxx xxx xxx xxxxxxxx xxxxxxxx xxxx xxxxxx xx xxxxxx xxxxxxxxxx xx xxxxxxxx xxxxxxxxxxxx xxx xxxxxxxxx xxxxxxxxxxx. See Appendix B for our detailed analysis of this topic.

During the course of our audit, the Postal Service took action to begin eliminating the presentation of sensitive data. A change to the EBR creation software allows for the sensitive information to be replaced by other data.3

We recommend the Vice President, Information Technology Operations, coordinate with the Vice President, Controller, to:

    1. Ensure management protects sensitive employee data used in the Electronic Badge Reader Program by eliminating the presentation of confidential Social Security numbers on computer screens and hardcopy reports by either obscuring the data or replacing it with other non-sensitive data identifiers.

Privileged Database Accounts

xxxxxxxxx xxx xxxxxxxx xxxxxxx xxxxxxxx (xxxx) xxxxxxxxx xxx xxx xxxxxxxxxx xxxxxxx xxxx x xxxxxx xxxxxxx xxxxxxxx4 xx xxxx xxxxxx xx xxxx xxxxxxxxxxx xxxxxxxxx xxx xxxx xxxxxxx. xxxx xxxxxxxxx xxxxxxx xxxx xxxxxxxx xx xx xxxxxxx xx xx xxxxxxxxxx xx xxxxxx xxxxxxxx xxxx xxx xxxxxxxx xxxxxxxxxxxxx xxxxx xx xxx xxxxxxxxx.
xxxxxxx xxxxx xxx xxxx xxxxxxx xxx xxxxxxxx xx xxxx xxxxxx xx x xxxxxxxxxx xxxxxxx xxxx xxx xxxxxxx xxxxxxxxxxxxxx xxx xxxx xxx xxxxxx xxxx xxxxxx xxxxxxx xxxxxxx5 xxxxxxxx xxxx xxx xxxxxxxxxx xxxxxxxx xxx xxxxxxxx xx xxxxxxxxxxx xxxxxxxxx xxxxxxxxxxxxxx xxx xxxxxxxx xxxxxxxxxxxx xxx xxxxxxxxx xxxxx xxxxxx xx xx xxxxxxxxxxx x xxx xxx xxxxxxxx xxxxxxxx xx xxxx xxxxxx

We recommend the Vice President, Information Technology Operations, direct the Manager, Information Technology Computing Services, to:

    2. Assign privileged system and administration accounts to unique individuals.

    3. Ensure privileged account passwords are not shared and password renewal practices comply with Postal Service policy.

1 Handbook AS-805, Information Security, dated March 2002 (updated with Postal Bulletin revisions through November 23, 2006), Section 3-5.2.
2 xxxxxxxx xxxx xxx xxxxxxx xx xxx xxxxxxxx xxxxx xx xxx xxxxx xxx xxxx xx xxx xxxxxxx xxxxx xx xxxxxxxxxxxxxx.
3 xxxxxx xxxx xxxx xxx xxx xxxxxxx xx xxxxxxx xxxxxxxx xxxxx xx xxxxxxxxxx xx xxxx xxxxxx xxxxxx xx x xxxxxxxx xxxxxx xxxxxxxxxx xxx xxxxxxxx xxxxx xx xxxxx xxxxxx xxxxxxxxx xxx xxxxxxxxxx xxx. xxx xxx xxxxxx xxxxxx xxx xxxxxxx xxxxxxxx xxxxx xx xxxxx xx xx xxxxxxxxx xxxx xxxxxx xxx xxx xx xxx xxxxxxxxxx xxxxxxxxxxx xxx xxxxxxxx xx xxx xxxxx xxxx xxxx xxxxxx xxxx xx xxxxxxxxxxx xx xxxx xxxxxxx xxx xxxxxx xxxx xx xxxxxx xxxx xxxxxxx xxxx xxxxxxx xx xxxx.
4 xxxxxxxxx xxx xxxxxxxxxx xxxxxxx xxxxxxxx xx xxxx xxxxxxx xxxxxxxxxxxxx xxxxx x xxxxx.
5 Handbook AS-805, Information Security, Section 9-5.3.2.

Restricted information

Encryption of Sensitive Information

Xxx Xxxxxx Xxxxxxx xxxxxx xxxxxxxxxxxx xxx xxxxxxxxx XXXX xxxx xx xxxxx xxxx xxxxxxxxxxxxx xxxx. Xxxxxx Xxxxxxx xxxxxx6 xxxxxxxxxx xxxxx xxxxxxxxxx xx xxx xxxxxxx xxxxx xxx xxxxxxxxx xxxxxxxxxxxxxxx xxxxxxxx xxx xxxxxxxxxxx xxxxxx xxxx xxx xxxxxxx. xx xxx xxxx xx xxxx xxxxxxxxxxxxxx, xxx xxxxxx xxxxxxx xxx xxx xxx xxxxxxxxx xxxxxxxxxx xxxxxxxxxx xx xxxxxxx xxx xxxx. xx x xxxxxx, xxxxxxxxxxxx xxx xxxxxxxxx xxxxxxxxxxx xxx xx xxxx.7 xxxxx xx xx xx xxxxxxxx x xxx xxx xxxxxxxx xxxxxxxx xx xxxx xxxxx.

We recommend the Vice President, Information Technology Operations, direct the Manager, Finance Business Systems Portfolio, to:

    4. Encrypt sensitive Time and Attendance Collection System data being stored in application files.

Time and Attendance Collection System Testing Environment

The TACS QA testing environment does not mirror the production environment, and personnel therefore cannot completely test all modifications with assurance. Best practices and Postal Service policy recommend ensuring test environments are representative of the production operating environment and that changes to the production environment are replicated in the test environment.8 As changes to the production environment occurred, the Postal Service did not replicate them in the QA testing environment. A QA testing environment which mirrors production helps ensure changes will be adequately tested before being introduced into the production environment. See Appendix B for our detailed analysis of this topic.

We recommend the Vice President, Information Technology Operations, direct the Manager, Finance Business Systems Portfolio, to:

    5. Update the Quality Assurance testing environment to mirror the production environment.

6 Handbook AS-805, Section 9-8.2.
7 xxxx xxx xxxxx xxxxxxxx xxx xxxxxxxxx xxxxxxxxxxx xxx xxxxxx xx xxxxxxxxx xxx xxxx xxxx xx xxxxxxxxxxx xxxxxx xxx xxxxxx xxxxxxxxx "xxxxxxx xxxxxxx." xxxxxxxxx xxxx xxxxxx xx xxxx xxxx xxxxx xxxxxxxxxxx xxx xx xxxxxxx xx xxx xxxxxx xxxxxxxxx xxxx xx xxxxxxx, xx x xxxxxx xxxxxxxxxxxx xxxx xxxxxx xxx xxxxxxxxxx.
8 Information Systems Audit and Control Association's COBIT AI7.4 Test Environment, IT Governance Institute, 2007, and U.S. Postal Service Development and Operations Security Policy, Section 5 (not dated).

Access to Production Database

Three Postal Service TACS developers had both read-only access to the TACS databases and unrestricted access privileges at the TACS business application level. Having both business user and database accounts allows developers to have inherited (accumulated) rights,9 which put confidential and sensitive data at unnecessary risk. Postal Service policy10 states that developers must not have access to production application systems. Management approved developer access to production application systems, as well as unrestricted read-only access to production databases, in order to expedite the handling of TACS change requests. See Appendix B for our detailed analysis of this topic.

During the course of our audit, the Postal Service implemented changes to restrict developers to read-only access to production databases for application support.
All access capabilities granting write, update and delete privileges were removed. Therefore, we are not making any recommendations to address this issue.

Sensitive Information Available to Users

xxxx xxxxx xxx xxx xxxxxxx xx xxxx x xxxx xx xxxx xx xxxxx xxx xxxx xxxxx xxxx xxxxxx xxxxxx. Postal Service policy11 states management must protect sensitive information from unauthorized access and disclosure and restrict access to authorized personnel with a need to know. xxx xxxxxxx xx xxxx xxxxx xxxx xxxxxxxx xxx xx x xxxxxxxxxxxxx xxxxxxxxx xxxx xxxx xxxx xxxxxxxx xx xxxx xxxxxx xxx xxxx xxxxxxxxxxx.12 This resulted in TACS users being able to obtain confidential and sensitive employee personal information.

During the course of our audit, the Postal Service made appropriate changes ensuring displayed employee SSNs were protected xx xxxxxxxxx xxxx xx xxx xxxxx xxxx xxxxxx xx xxx xxx xxxx xxx xxxxxx xxxx. Therefore, we are not providing recommendations for this issue.

Management's Comments

Management agreed with recommendations 1, 2, 4, and 5 and partially agreed with recommendation 3. Regarding recommendation 1, management changed the TACS badge card report to eliminate display of the SSNs. Management also will direct a xxxxxxxx xxxxxxxxxxxxxx xxxxx xxxxx xxxxxxxx xxxx xxxxxxx xxxx xxxxxx xxxx xxx xxxxxx xxxxxxx xxxx xxx xxx xx xxxxxxxxx xxxx xx xxxxxxxxx xxx xxxx.

9 Coupled with their business accounts, which grant read, write, update, and delete privileges, developers can access databases with these assumed privileges and their actions will not be tracked based on their approved access to the databases.
10 Handbook AS-805, Section 8-3, and U.S. Postal Service's Development and Operations Security Policy, Section 5.
11 See footnote 1.
12 When xxxxxxxxxx xxxxxxxxxxxx xxx xxx xxxx xxxxx xxxxxxxx xxxxxxxxxxxx, xxxx xxx xxx xxxxxx xxxx xxxxxx xxxxxx.

For recommendation 2, management stated the XXXX team will develop processes to migrate from using shared privileged accounts to unique individual accounts by January 30, 2009.

Concerning the partial agreement with recommendation 3, management stated it is xxxxxxxxxxx xxxxxxxxxx xx xxxxx xxxxxxx xxx xxxxx xxx xxxxxxxx xxxxxxxx, xxxxx xxx xxxxxxxx xx xxxxxx xxx xxxxxxxx xx xxxxx xxxxx xxxx xxx xxxxxxxxxx. However, management stated they would use a software tool as a compensating control to monitor use of these accounts and to record an audit trail of activity. Management agreed with the password renewal compliance and stated that XXXX would implement the renewal policy on TACS and all other databases. Management will research the marketplace and provide a recommended solution by December 30, 2008, for a software tool to manage the change of a large number of passwords at a time.

xxxxxxxxx xxxxxxxxxxxxxx x, xxxxxxxxxx xxxxxx xxx xxxxxxxxxx xxxxxxxx xxxxxxx xxxxxxxxx xxxxxx xx xxxxxxxxxxx xx xxxxxxxxxx xxxxxxxx xxxx xxx xx xxxxxxxxxxx xxxxxxx xxxxxxxxxx xxx xxxxxxxxxxx xxxxxxxxx, xxx xxxx xxxxxx xxx xxxxxxx xxx xxxxxxxx xxxxxxxxxxxx.
xxxxxxxxxx xxxx xxxxxxx x xxxxx xx xxxxxxx xx xxx xxxxxxxxx xx xxxxx xx, xxxx xxx, xx xxxxxxxxxx, xxxx xxxxxxxxx xxxxxxxxxx xx xxxxx xx, xxxx.

Finally, for recommendation 5, management stated they are investigating and designing the TACS test environment architecture as part of an initiative to become compliant with Sarbanes-Oxley. They will complete this effort by September 30, 2009. Management's comments, in their entirety, are included in Appendix C.

Evaluation of Management's Comments

The U.S. Postal Service Office of Inspector General (OIG) considers management's comments responsive to the recommendations, and their corrective actions should resolve the issues identified in the report.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Gary C. Rippie, Director, Information Systems, or me at (703) 248-2100.

E-Signed by Tammy Whitcomb

Tammy L. Whitcomb
Deputy Assistant Inspector General
for Revenue and Systems

Attachments

cc: Ross Philo
    Lynn Malcolm
    Harold E. Stark
    Joseph J. Gabris
    Jo Ann E. Mitchell
    Carol A. Reich
    David M. Stauffer
    William E. Koetz
    Christine L. Souter
    Kathleen A. Warnaar
    Katherine S. Banks

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

TACS is one of the largest Postal Service web-based applications, providing real-time work hour data to help manage day-to-day operations. TACS accounts for the work hours of more than 650,000 Postal Service career and non-career employees and nearly $2 billion in salaries and benefits employees receive each pay period. TACS ensures all employees are paid by a uniform set of rules at a national level and eliminates differences in how payroll information is calculated for T&A. Employees' time can be entered into TACS in three different ways.

    •   Electronic Badge Reader – Employees swipe their badges at the beginning and end of their tours and when leaving for or returning from their designated lunch periods, generating a clock ring.
        Supervisors manually input all employee leave. These clock rings are written to the TACS database and are automatically accepted by TACS.

    •   Timecards – Employees record their time on a timecard, which may be entered in one of two ways: (1) an employee's supervisor logs on to the TACS application and enters timecard data into the Timecard Entry Module, or (2) a supervisor calls an 800 telephone number to establish a connection with TACS Voice Response13 (TVR) and uses a standard telephone numeric keypad to enter the employee's time into the TACS application.

    •   Auto-Rings – Exempt employees can be established in TACS on auto-rings. Under this option, the employee's schedule is pre-populated in the TACS application, requiring only that deviations from their schedule be manually entered into the application.

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to determine whether TACS has sufficient controls in place to ensure that data and transactions are valid, authorized, and completely and accurately processed. Specifically, we reviewed controls surrounding input and approval of time records, user privileges, user authentication, and data integrity. In addition, we validated the reliability of reporting for the Employee Everything Report.14

We gathered documentation and interviewed Postal Service personnel to identify and assess existing application controls in the TACS application. We limited our scope to the actual clock rings as entered into the application.
Our audit did not include tests to determine that the information captured by the clock rings was accurate.

13 TVR is used at small offices which do not have an Internet connection.
14 Ernst and Young requested that we attest to the reliability of the Employee Everything Report for the purpose of placing reliance on the accuracy of this report for their audit of the Postal Service's financial statements.

We tested the input of clock rings into the Clock Ring Editor Module and the Timecard Entry Module of TACS. xxxxx xxxxx xxxx xxxxxxxxx xxxx xxxxxxxxxxx xxxxxxx xxx xx xxxxxxx xxxxxxxxxxx xxx xxx x xxxxxx xx xxxxxxxxxx. xxx xxxxxxx, xxx xx xxxxxxx xxxxxxxxxxx xxxx xxx xxxx xxx xxxxxxxxxx xx xxxx xxxxx xxxxx xxxxxxx xxxx xx xxx. xxxxx xxxxx xxxx xx xxxxxxx xxxxxxxx xxxx xxx xxxxx xxxx xxxxxx xxxxxx xx xxx xxxxxxxxxxx xxx xxx xxxx xxxxxxxxx. We created several testing scenarios based on business rules of the application. We performed some of these scenarios to create error outcomes, and some to create non-error outcomes. For example, based on business rules we would expect the application to produce an error if an employee's work hours exceeded the scheduled 40 hours per week and no overtime was authorized. After creating scenarios for both the Clock Ring Editor Module and Timecard Entry Module, we input the testing scenarios into TACS and analyzed our results.

We tested the reliability of the computer-generated output presented in the Employee Everything Report. After obtaining a sample of employees, we ran an Employee Everything Report for all hours processed and recorded by TACS.
We queried the database and used scripts provided by the TACS development team to obtain the raw rings entered into the application and written to the database. We performed a line-by-line analysis of this data to verify that all information input into the application processed as expected.

We conducted this performance audit from June through November 2007 and March through August 200815 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We discussed our observations and conclusions with management officials on July 15, 2008, and included their comments where appropriate.

15 We did not work on this audit from December 2007 through February 2008 due to the unavailability of resources.

PRIOR AUDIT COVERAGE

Report Title: Internal Controls Over Operation Clock Rings at the Margaret L. Sellers Processing and Distribution Center
Report Number: NO-AR-07-008
Final Report Date: August 24, 2007
Monetary Impact: N/A
Report Results: Internal controls ensuring the accuracy of clock rings were in place and generally effective. However, based on our statistical sample of 220 employees, 7 percent were clocked into the incorrect operation, which could result in management making incorrect decisions about resource allocations and the productivity of individual operations. In addition, management could improve internal controls over timecard security.

Report Title: Audit of Database Administration Practices
Report Number: IS-AR-07-016
Final Report Date: August 20, 2007
Monetary Impact: N/A
Report Results: The Postal Service needs to strengthen controls and processes surrounding access controls, segregation of duties and database administration. Specifically, improvements are needed for controlling developers' access to production databases and for managing user accounts.

APPENDIX B: DETAILED ANALYSIS

Electronic Badge Reader Creation Software and Printer

System queries or reports often displayed or printed confidential SSN data. xxxx xxxxxxxx xxxxxxx xxx xxx xxxxxxxx xxxxxxx, xxxxx xxxxxxx xxx xxxxxx xxxxxxxx xxxxxx, xxxx xxx xxx xx xxx xxxxxxx xxxxx xx xxxxxxxxxxx xxxxxxxxx. xxxx xxxxxxxxxx xx xxxxxxx xx xxx xxxxxxxx xxxxx xx xxx xxxxxxx xxxx xx xxx xxxxx.16 Employees swipe their badges at EBR stations and generate clock rings. These clock rings are written to the TACS database and made available to the TACS application. xxxx xxx xxxx xxxxxxxx xx xxxxx xxxxxxxxxxxx xxxx xxxxxxxxx xxxx xxxx, xxxx xx xxxxxxx. Postal Service policy17 states sensitive information must be protected from unauthorized access and disclosure, restricting access to authorized personnel having a need to know. The elimination of this confidential data from the EBR program will prevent unauthorized personnel from viewing it in TACS reports.18

During the course of our audit, the Postal Service began eliminating the presentation of sensitive data.
x xxxxxx xx xxx xxx xxxxxxxx xxxxxxxx xxxxxxx xxx xxx xxxxxxxxx xxxxxxxxxxx xx xx xxxxxxxx xx xxxxx xxxx.

Privileged Database Accounts

xxxxxxxxx xxx xxxx xxxxxxxxx xxxxxxx xxx xxxxxxxxxx xxxxxxx xxxx x xxxxxx xxxxxxxx xxxxxxxx19 xx xxxx xxxxxx xx xxxx xxxxxxxxxxx xxxxxxxxx xxx xxxx xxxxxxx. XXXX operates 7 days a week, 24 hours a day, and some changes may need to be made during off hours when the primary DBA is not available. These changes result from change requests that are tracked in the Remedy system. XXXX personnel receive the Remedy ticket and tested scripts from the developers and incorporate the changes into the application database using the shared privileged account and password.

These practices do not comply with Postal Service policy. xxxxx xxx xxxx xxx xxx xxxx xxxxxxx xxx xxxxxxxx, xxxxx xx xx xxxxxxxxxxxxxx xxxxxx xxxxx xx xxxxxxxx xx xx xxx xxxxxxxx xxxxx xxxxxxx. xxxxxx xxxxxxx xxxxxx20 xxxxxx xxxx xxxxxxxxxx xxxxxxxx xxxxxx xx xxxxxxxxxx xx xxxxxxxxx xxxxx xxxxxx xxxxxxx xxxxxxxxxx xxxxxxxxxx; xxxxxxxx xx xxxxxx xxxxxxxxxxx; xxxxxxxxxx xxx xxx xx xxxxxxxxxx xxx xxx xxxxxxxxx xxxxxxxx xx xxx xxxxxxxxxx xxxxxxx; xxx xxxxxxxx xx xx xxxxx xxxxx.
Also, policy21 states that passwords for privileged accounts must be changed at least every 30 days, and as quickly as possible upon departure of a system administrator or DBA, to maintain the security and integrity of the system.

16 xxx xxxxxxxx xxxxx xxxxxxxx xxx xxxxxxxx xxxxx xx (xxxxxxxxx xxxxx, xxxxxxxxx xxxx, xxx xxxxx xxxx xxx xxxxx xxxxxxxx xxxxxx xxxxxxxxxxxxxxx.
17 xxx xxxxxxxx x.
18 xxx xxxxx xxxxxxxxxxx xxxxxx xxx xxx xxxx xxxxx xxxxxx xxx xxxxxxxx xx xxxxxxx xxxx xxxxxxx xxxx.
19 xxxxxxxxx xxx xxxxxxxxxx xxxxxxx xxxxxxxx xx xxxx xxxxxxx xxxxxxxxxxxxx xxxxx x xxxxx.
20 Handbook AS-805, Section 9-5.3.2.
21 Handbook AS-805, Sections 9-7.1.6 and 6-7.3.

Encryption of Sensitive Information

xxxx xxxxxxxxxxxx xxx xxxxxxxxx xxxx xxxx xx xxxxxxxxx xxxxxx xx xxxxx xxxx xxxxxxxxx. xxx xxxxxxx, xxxx xxxxxx xxxxxxxx xxxx xx xxx xxxxxxxx xxx xxxxxxxx xxxxxxxxxxxxxx. xxxxxx xxxxxxx xxxxxx22 xxxxxx xxxxxxxxxxx xx xxx xxxxxxx xxxxx xxx xxxxxxxxx xxxxxxxxxxxxxxx xxxxxxxx xxx xxxxxxxxxxx xxxx xxx xx xxxxxx xx xxxx xxxxxxxxx-xxxxxxxxxx xxxxxxxxxxx xxxxxxxxxxx xxxx xxxx xxx xxxxxxxxxx xx xxxxxxx xxxxxxxxx xxxxxx xxxxx xxxxx xx, xxxx, xxxxxx xxxx xxxx xxxxxxxxxx xxxxxx xxxxxxxx xxxxxxxxxx xxx xxxxxxxx xxxx xxxx xxxxxxxxxxx xxxxxxx xxxx xx xxxxxxxxxxx.

xx xxx xxxx xx xxxx xxxxxxxxxxxxxx, xxx xxxxxxx xxxxxxxx xxxxxxx xxxx xxx xxx xxxx xxxx xxxxxxx xxxxxxxx xxxx xxxxxx xxx xxxxxxxxxx xxx xxx xxx xxxxxxx xxxx xx xxxxxxxxxx xxxxx xxx xxxxxxxxxxx xxx xxxxx xxxxxx xxxxxx xxx "xxxxxxx xxxxxxx."

Time and Attendance Collection System Testing Environment

The QA testing environment does not mirror production.
Specifically, there are program version and processing differences with infrastructure. The QA testing environment does not currently have an EBR to test changes before implementing them into production. Changes to the TACS application are tested using data manually input to a TACS application module, whereas the majority of data in TACS is captured via EBR.

Best practices promoted by the Information Systems Audit and Control Association recommend ensuring that test environments are representative of the production operating environment and that changes to the production environment be replicated in the test environment.23 Postal Service policy states:

        …the testing environment must be representative of the operating landscape, including likely workload stress, operating system, technology solution software, database management systems, and network/computing infrastructure found in the production environment. As the production environment changes, the test environment must also change to stay in synchronization.24

Access to Production Database

xxxxx xxxxxx xxxxxxx xxxx xxxxxxxxxx xxx xxxx xx xxxxxxxx, xxxx-xxxx xxxxxxx xx xxx xxxx xxxxxxxxx xxx x xxxxxxxx xxxx xxxxxxx, xxxxx xxxxxxx xxxx, xxxxxx, xxxxxxx, xxx xxxxxx xxxxxxxxxx xx xxx xxxx xxxxxxxx xxxxxxxxxxx xxxxx. xxxxxx xxxxxxx xxxxxx25 xxxxxx xxxx xxxxxxxxxx xxxx xxx xxxx xxxxxx xx xxxxxxxxxx xxxxxxxxxxx xxxxxxx. xxxxxxx, xx xxxxxxxxx xxxxxx xx xxxxxxxxxx xxxxxxxxxxx xx xxxxxxxxx, xx xxxx xx xxxxxxxxxx xx xxxxxxx xx xxxxxxxxx xxxxxxxx, xxx xxxxxx xxxx xx xxxxxxxxx, xxx xxxxx xxxxxxx xxxx xx xxxxxx xx xxx xxx xxxxxxxxx xxx xxxxxxxx xxxxxxxxxxxx.26 xxxxxx xxxx xxxxxxxx xxx xxxxxxxx xxxx xxxxxxxx xxxxxx xxx xxxxxxxxx xx xxxx xxxxxxxxx xxxxxxxxxxxxx xxxxxx, xxxxx xxxxx xxxx, xxxxx, xxxxxx, xxx xxxxxx xxxxxxxxxx xx xxx xxxxxxxx (xxx xxxx xxxxxxxxxxx) xxxxx.27 xxx xxxxxxx, xxxxx xxxxxxx xxxxxxxxxx xx xxxxxxxxxxx xxxxxx xxxx xxxxxxx xx xxxxxxxxxx xxxxxxxxx xxxxxxxxx xx xxxxxxxxxx xxxxxxxx. xxxxxxxx xxxxxxxxxx xx xxxx xxxx xxxxxx xxxx xxxxxxxxxxxx xxx xxxxxxxxx xxxx xx xxxx xx xxxxxxxxxxxx xxxxxxxxx, xxxxxxxxxxxxx, xxx xxxxxxxxx, xxxx xxxx xxx xxxxxxxxxxxx xxxxx xxxxxx xxxxxxxxx xxx xxxxxxxxxx xx xxxxxx xxxx xxxxxxxxx.

During the course of our audit, the Postal Service implemented changes to ensure developers only have read-only access to production databases for application support. All access capabilities granting write, update and delete privileges were removed.

22 Handbook AS-805, Sections 9-8.2 and 3-5.5.2.
23 Information Systems Audit and Control Association, COBIT AI7.4 Test Environment.
24 U.S. Postal Service's Development and Operations Security Policy, Section 5.
25 Handbook AS-805, Section 8-3.
26 Based on Handbook AS-805, Section 3-3.1, sensitivity determines the need to protect the confidentiality and integrity of the information. The three levels of sensitivity are (1) sensitive, (2) business-controlled sensitive, and (3) non-sensitive. Criticality reflects the need for continuous availability of the information.
The three levels of criticality are (1) critical, (2) business-controlled critical, and (3) non-critical.
27 xx xxxxxxxx xx xxx xxxxxx xxxxxxxxxxxx, xxxxxxxx xxxxxxxxxx xxxxxxxxx, xxxxx xxxxxx xx, xxxx, xxxxxxxxxxxxxx xxxxxxx xxxx xxxxxxxxx xxxxxx xx xxx xxxxxxxx xx xxxxxxx xxxxx xx xxx xxxx xxx xxxxxxxx xxxxxxxxxxx. x xxxxxx xxxxxx xxxx xxxxxxxxx xx xxxxxxx xxx, xxxxxx xx xxxx xxxxxx, x xxx xxxx xxxxxx x xxxxxxxxxxx xxxxxxx xxx xxxxx xxxxx xxxxxxxx xxx x xxxx. xxxxxxxxxx xx xxx x xxxx, xxx xxxxxxxxxxx xxxxxxx xxxx xxxxx xx xxxxxx xxx xxxx xxxx xxxx xx xxxxxx xxxxxxx xxxxxx xxxxxx xx xxxxxxxx xxx xxxx xx xxx xxxxxxxxx. xxxxxxxxx xxxxx xxxxxxxx xxxxxx xxxx xx xxxxx xxxxxx xx xxx xxxxxxxx xxx xxxxxxxxxx xxxxxx xxxxxxxxxxxxxxxxxx xxx xxxx xxxxxxxxxx xxxxxxxx xxx xxxxxxxxxx.

APPENDIX C: MANAGEMENT'S COMMENTS
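The following is an added example and is not part of the OIG report or the Postal Service's own tooling: a small Python access-review script that applies, to an exported account inventory, the checks behind recommendations 2 and 3 (shared privileged accounts, privileged password renewal) and the developer production-access finding. The logins, holders, roles, dates and privilege sets are constructed for illustration. The 30-day limit is the Handbook AS-805 requirement quoted in Appendix B, and the accumulated-rights check follows footnote 9: a person's effective rights are the union of the rights of every account they hold, so a read-only database account plus a business-application account with write rights still yields write access to production data.

```python
"""Access-review checks for a time-and-attendance application and its databases.

Added example, not code from the OIG report or from the Postal Service. Every
login, holder, role, date and privilege set below is constructed for illustration.
The 30-day limit is the Handbook AS-805 requirement quoted in the report; the
accumulated-rights check follows the report's footnote 9.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

PRIVILEGED_PASSWORD_MAX_AGE_DAYS = 30   # AS-805: privileged passwords change at least every 30 days
WRITE_OPS = frozenset({"INSERT", "UPDATE", "DELETE"})


@dataclass(frozen=True)
class Person:
    name: str
    role: str                        # "dba", "developer", "supervisor", ...
    departed: Optional[date] = None  # date the person left, if they have


@dataclass(frozen=True)
class Account:
    login: str
    system: str                # "db" (production database) or "app" (business application)
    privileged: bool           # DBA / administration account
    holders: Tuple[str, ...]   # people who know the credential; more than one means it is shared
    password_set: date         # last password change
    privileges: frozenset      # data operations the account can perform in production


def shared_privileged_accounts(accounts) -> List[str]:
    """Recommendation 2: a privileged login known to more than one person."""
    return sorted(a.login for a in accounts if a.privileged and len(a.holders) > 1)


def overdue_password_rotations(accounts, today: date) -> List[Tuple[str, int]]:
    """Recommendation 3: privileged passwords older than the policy limit, as (login, age in days)."""
    limit = timedelta(days=PRIVILEGED_PASSWORD_MAX_AGE_DAYS)
    return sorted((a.login, (today - a.password_set).days)
                  for a in accounts if a.privileged and today - a.password_set > limit)


def credentials_surviving_departure(accounts, people) -> List[Tuple[str, str]]:
    """Policy also requires rotation on departure: privileged credentials a departed
    holder knew that were not changed after the departure date."""
    departed = {p.name: p.departed for p in people if p.departed is not None}
    return sorted((a.login, holder)
                  for a in accounts if a.privileged
                  for holder in a.holders
                  if holder in departed and a.password_set <= departed[holder])


def effective_privileges(accounts) -> Dict[str, Set[str]]:
    """Per person, the union of privileges over every account they hold (footnote 9)."""
    effective: Dict[str, Set[str]] = {}
    for a in accounts:
        for holder in a.holders:
            effective.setdefault(holder, set()).update(a.privileges)
    return effective


def developers_with_production_write(accounts, people) -> List[str]:
    """Developers whose accumulated rights include write operations on production data."""
    developers = {p.name for p in people if p.role == "developer"}
    effective = effective_privileges(accounts)
    return sorted(d for d in developers if effective.get(d, set()) & WRITE_OPS)


def run_review(accounts, people, today: date) -> Dict[str, list]:
    return {
        "shared_privileged_accounts": shared_privileged_accounts(accounts),
        "overdue_password_rotations": overdue_password_rotations(accounts, today),
        "credentials_surviving_departure": credentials_surviving_departure(accounts, people),
        "developers_with_production_write": developers_with_production_write(accounts, people),
    }


# Constructed inventory (not real accounts). "tacs_dba" models the shared DBA login the
# report describes; "d.dev" models a developer who holds a read-only database account
# and a business-application account that carries write rights.
PEOPLE = (
    Person("a.dba", "dba"),
    Person("b.dba", "dba"),
    Person("c.dba", "dba", departed=date(2008, 5, 1)),
    Person("d.dev", "developer"),
    Person("e.dev", "developer"),
    Person("f.sup", "supervisor"),
)
ACCOUNTS = (
    Account("tacs_dba", "db", True, ("a.dba", "b.dba", "c.dba"), date(2008, 4, 15),
            frozenset({"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"})),
    Account("a_dba", "db", True, ("a.dba",), date(2008, 7, 20),
            frozenset({"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"})),
    Account("d_dev_ro", "db", False, ("d.dev",), date(2008, 6, 1), frozenset({"SELECT"})),
    Account("d.dev", "app", False, ("d.dev",), date(2008, 6, 1),
            frozenset({"SELECT", "INSERT", "UPDATE", "DELETE"})),
    Account("e_dev_ro", "db", False, ("e.dev",), date(2008, 6, 1), frozenset({"SELECT"})),
    Account("f.sup", "app", False, ("f.sup",), date(2008, 7, 1),
            frozenset({"SELECT", "INSERT", "UPDATE"})),
)
AS_OF = date(2008, 8, 14)   # the report's date, used here as the review date

if __name__ == "__main__":
    for finding, hits in run_review(ACCOUNTS, PEOPLE, AS_OF).items():
        print(f"{finding}: {hits}")
```

Run as a script, the review reports the shared tacs_dba login, its password last changed 121 days before the review date, the same credential still known to c.dba after that person's departure, and d.dev's write rights on production via the application account. The monitoring tool management proposed as a compensating control for recommendation 3 would add an audit trail but would not change the first result, since the login is still shared; removing the write operations from d.dev's application account, as the report records was done during the audit, empties the last list.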